###
###	Generic UNIX messages (various platforms)
### $Id: unix.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###

# Syslog restarts.
# NOTE(review): syslogd restart/exit notices are discarded outright. A
# syslogd stop is also how a gap in the audit trail gets created, so a
# reviewer may prefer to count these in a context instead of ignoring them.
'^.{15,} (.*) syslogd.*restart' - - - 0 ignore
'^.{15,} (.*) syslogd: exiting on signal (.*)' - - - 0 ignore
# Unanchored: any line containing this text is dropped, wherever it occurs.
# syslogd typically collapses a burst of identical lines (e.g. repeated
# FAILED LOGIN events) into one "last message repeated N times" line, so
# ignoring it here loses the repeat count for whatever preceded it.
'last message repeated' - - - 0 ignore



# identd connection notices are not interesting on their own, but are kept
# in a context for a while so other rules can correlate on them.
# $2 = host, $3 = remote peer as reported by identd.
# The context is keyed on the remote peer text ($3), which is remote-supplied
# and is used here as a regex (presumably logsurfer's open order: line limit
# 5000, absolute timeout 10800s, relative timeout 1800s -- verify against the
# logsurfer version in use); a '.' in an address matches any character.
# The context's default action on close is ignore, so nothing is ever
# reported from it unless another rule reports it explicitly.
'^.{15,} (.*) identd\[.* Connection from (.*)' - - - 0
	open "$3" - 5000 10800 1800
	ignore 



### cron jobs we know all about
# NOTE(review): these patterns are unanchored ('.* CRON\[.*newsyslog.*'), so
# any line that has "CRON[" followed anywhere later by the keyword is
# suppressed -- including a user cron job whose command line merely mentions
# "newsyslog" or "adjkerntz". Anchoring on the CMD field (as the
# /etc/(daily|weekly|monthly) rules below do) would narrow this.
'.* CRON\[.*newsyslog.*' - - - 0 ignore
'.* CRON\[.*adjkerntz.*' - - - 0 ignore
'.* CRON\[.* \(root\) CMD .* /etc/(daily|weekly|monthly) .*' - - - 0 ignore
'.* CRON\[.* \(root\) CMD .* periodic (daily|weekly|monthly) .*' - - - 0 ignore
'.* anacron\[.* Updated timestamp for job .*' - - - 0 ignore

###
### CRON Messages 
###
# crontab -e started: $2 = host, $3 = crontab pid, $4 = invoking user,
# $5 = owner of the crontab being edited.
# Opens a context named "<host> crontab[<pid>]:" that collects this edit's
# lines (limit 100 lines, 1800s absolute / 300s relative timeout). Default
# action on close is ignore, so an edit that never reaches END EDIT (or
# whose END EDIT arrives after the timeout) leaves no report.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) BEGIN EDIT \((.*)\)' - - - 0 
	open "$2 crontab\\[$3\\]:" - 100 1800 300
	ignore

# replace only means they did something.. END will cancel the whole thing
# REPLACE = the user saved a modified crontab. Install a temporary rule
# (lifetime 1800s) that fires on the next END EDIT and mails root the
# collected context for that edit.
# NOTE(review): the dynamic rule's regex does not use this line's $2/$3, so it
# is satisfied by an END EDIT from ANY host/pid within 1800s, not only by the
# edit that did the REPLACE; pinning the host and pid into the regex would
# make the match one-to-one.
# NOTE(review): $2/$4/$5 are copied from log text into the surfmailer command
# line. Confirm whether logsurfer runs this through a shell; if it does, a
# crafted username or hostname (log text is locally writable via logger(1)
# and spoofable over UDP syslog) could break out of the quoted -S argument.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) REPLACE \((.*)\)' - - - 0
	rule before 
	'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) END EDIT \((.*)\)' - '.*' - 1800
		report "/usr/local/bin/surfmailer -r root -S \"$5 crontab changed on $2 by $4\"" "$2 crontab\\[$3\\]:"

# END EDIT without a preceding REPLACE: the edit was abandoned, so drop the
# context opened at BEGIN EDIT. When a REPLACE did occur, the dynamic rule
# installed above is inserted before this one; whether this delete still
# runs afterwards depends on logsurfer's rule-continuation behaviour (TODO
# confirm) -- otherwise the context lingers until its timeout.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) END EDIT \((.*)\)' - - - 0 
	delete "$2 crontab\\[$3\\]:"

# someone running crontab -l
# $2 = host, $3 = invoking user, $4 = owner of the crontab listed.
# Every listing mails root individually; there is no rate limiting here.
'^.{15,} (.*) crontab\[.* \((.*)\) LIST \((.*)\)' - - - 0
	pipe "/usr/local/bin/surfmailer -r root -S \"User $3@$2 examined crontab for $4\""
	
# cron server on host $2, user $3 refreshed crontab $4
# (only $2 and $4 are used in the mail subject; $3 is captured but unused.)
# A RELOAD means a new crontab is now in effect, which is the event that
# matters if the edit-tracking above missed the change.
'^.{15,} (.*) cron\[.* \((.*)\) RELOAD \((.*)\)' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"cron on $2 reloaded crontab $4\""

###
### SU
###

# sudo password failure: $2 = host, $3 = user. Each failure mails root
# individually (no threshold), so a brute-force attempt floods the mailbox.
# NOTE(review): this regex expects " : TTY=" between the failure text and the
# TTY field. Check it against the sudo build in use -- sudo versions that
# separate those fields with " ; " would never match here, and the line would
# then fall through to the catch-all at the bottom of the file.
'^.{15,} (.*) sudo: (.*) : .* incorrect password.* : TTY=(.*) ; PWD=(.*) ; USER=(.*) ; COMMAND=(.*)' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"failed sudo password by $3@$2\""
# Every successful sudo invocation is discarded, regardless of target USER=
# or COMMAND=. Sudo denials ("command not allowed" etc.) do not contain
# " : TTY=" and so are not matched by this rule either.
'.* sudo: (.*) : TTY=(.*) ; PWD=(.*) ; USER=(.*) ; COMMAND=(.*)' - - - 0 ignore


# Failed su: $2 = host, $3 = originating user, $4 = target user, $5 = tty.
# Mailed per event, no threshold.
'^.{15,} (.*) su: BAD SU (.*) to (.*) on (.*)' - - - 0
	pipe "/usr/local/bin/surfmailer -r root -S \"failed su by $3@$2 to $4 on $5\""

# Direct root login: $2 = host, $3 = the parenthesised field (tty or origin
# as login(1) prints it), $4 = the ON field. Always mailed.
'^.{15,} (.*) login: ROOT LOGIN \((.*)\) ON (.*)' - - - 0
	pipe "/usr/local/bin/surfmailer -r root -S \"ROOT LOGIN on $2 $3 $4\""

# Reboot / halt initiated from a shell: $2 = host, $3 = user who ran it.
# Only explicit reboot(8)/halt(8) is caught here; shutdown(8) logs
# differently and is not matched by these two patterns.
'^.{15,} (.*) reboot: rebooted by (.*)' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"$2 rebooted by $3\""

'^.{15,} (.*) halt: halted by (.*)' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"$2 halted by $3\""

# login events
# PAM session open/close lines are ignored for every user, root included;
# root logins are only noticed via the "login: ROOT LOGIN" rule above.
'^.{15,} (.*) PAM_pwdb\[.*\]: \((.*)\) session opened for user (.*) by (.*)' - - - 0 ignore
'^.{15,} (.*) PAM_pwdb\[.*\]: \((.*)\) session closed for user (.*)' - - - 0 ignore

# This message doesn't give us much useful info by itself, but it alerts us 
# that there is more crap coming soon.
# (A login attempt for a non-existent account; the FAILED LOGIN rule below
# is what produces the alert for it.)
'^.{15,} (.*) PAM_pwdb\[.*\]: check pass; user unknown' - - - 0 ignore

# However, this is a useful message 
# Any FAILED LOGIN line from login(1) mails root. Only the host ($2) is
# captured -- the username and origin are not extracted -- and each failure
# is mailed on its own, so a password-guessing run produces one mail per
# attempt. Aggregating these into a per-host context would keep that usable.
'^.{15,} (.*) login\[[0-9][0-9]*\]: FAILED LOGIN' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"FAILED LOGIN on $2\""

# Successful non-root logins ($3 = tty, $4 = user) are discarded.
'^.{15,} (.*) login: login on (.*) as (.*)' - - - 0 ignore



### System Boot Messages
# OpenBSD (/bsd:) and FreeBSD (/kernel:) kernel banners mark a boot. Open a
# context keyed on the host ($2) that gathers the following kernel output
# (2500 lines, 600s absolute / 180s relative timeout) and mail it to root as
# one report when the context closes. An unexpected boot is worth a look.
# No Linux boot banner is matched here; only the Linux crash rule below.
'^.{15,} (.*) /bsd: OpenBSD.*' - - - 0 
	open "$2" - 2500 600 180 
	  report "/usr/local/bin/surfmailer -r root -S \"Boot Message from $2\"" "$2"
'^.{15,} (.*) /kernel: (Copyright|FreeBSD)' - - - 0
	open "$2" - 2500 600 180
	  report "/usr/local/bin/surfmailer -r root -S \"Boot Message from $2\"" "$2"

# Linux kernel oops (NULL pointer dereference): collect the host's subsequent
# kernel output (5000 lines, 600s / 180s) and mail it to root as one report.
'^.{15,} (.*) kernel: Unable to handle kernel NULL pointer dereference' - - - 0
	open "$2" - 5000 600 180
	report "/usr/local/bin/surfmailer -r root -S \"linux crash on $2\"" "$2"

### Printers
# Note the two spaces before "printer:" -- presumably matching the exact
# spacing of the spooler's log lines on these hosts (TODO confirm).
# Gathers the host's printer messages (1000 lines, 1800s / 300s) into one
# mailed report.
'^.{15,} (.*)  printer:' - - - 0 
	open "$2" - 1000 1800 300
	report "/usr/local/bin/surfmailer -r root -S \"Printer message from $2\"" "$2"


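#	Catch anything else that we haven't seen before.
#	This should be at the very bottom of your config file.
#
# Assumes the standard 15-character syslog timestamp followed by a space and
# the host name ($2). The host is matched as any run of non-space characters:
# the previous '\w+' could not match '-' or '.', so lines from hosts with such
# names matched no rule at all and were silently dropped instead of reported.
# Per host, a context gathers the unknown lines (5000 lines, 600s absolute /
# 30s relative timeout) and mails them to root as one report when it closes.
'^.{15} ([^ ]+) .*' - - - 0
	open "$2" - 5000 600 30
	  report "/usr/local/bin/surfmailer -r root -S \"Unknown Message from $2\"" "$2"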

